[PATCH RFC 4/6] ALSA: pcm: Release memory with reference

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Use refmem allocation for the PCM object that holds two PCM devices
(for playback and capture).  This fixes the UAF bug by the delayed
kobj release.

Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
 sound/core/pcm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/core/pcm.c b/sound/core/pcm.c
index 461a10cc0db9..1e96437f3f0e 100644
--- a/sound/core/pcm.c
+++ b/sound/core/pcm.c
@@ -650,7 +650,7 @@ int snd_pcm_new_stream(struct snd_pcm *pcm, int stream, int substream_count)
 	if (!substream_count)
 		return 0;
 
-	snd_device_initialize(&pstr->dev, pcm->card, NULL);
+	snd_device_initialize(&pstr->dev, pcm->card, pcm);
 	pstr->dev.groups = pcm_dev_attr_groups;
 	pstr->dev.type = &pcm_dev_type;
 	dev_set_name(&pstr->dev, "pcmC%iD%i%c", pcm->card->number, pcm->device,
@@ -721,7 +721,7 @@ static int _snd_pcm_new(struct snd_card *card, const char *id, int device,
 		return -ENXIO;
 	if (rpcm)
 		*rpcm = NULL;
-	pcm = kzalloc(sizeof(*pcm), GFP_KERNEL);
+	pcm = snd_refmem_alloc(sizeof(*pcm), card);
 	if (!pcm)
 		return -ENOMEM;
 	pcm->card = card;
@@ -872,7 +872,7 @@ static int snd_pcm_free(struct snd_pcm *pcm)
 	snd_pcm_lib_preallocate_free_for_all(pcm);
 	snd_pcm_free_stream(&pcm->streams[SNDRV_PCM_STREAM_PLAYBACK]);
 	snd_pcm_free_stream(&pcm->streams[SNDRV_PCM_STREAM_CAPTURE]);
-	kfree(pcm);
+	snd_refmem_put(pcm);
 	return 0;
 }
 
-- 
2.35.3




[Index of Archives]     [ALSA User]     [Linux Audio Users]     [Pulse Audio]     [Kernel Archive]     [Asterisk PBX]     [Photo Sharing]     [Linux Sound]     [Video 4 Linux]     [Gimp]     [Yosemite News]

  Powered by Linux